[Date Prev][Date Next]
Re: chaining and proxy
Guillaume Rousse wrote:
First of all, in order to do that, slapd-ldap(5), which implements the
chain capability, should know about the details of syncrepl. Second,
the credentials used for syncrepl need to have broad *read*
permissions, while slapo-chain(5) credentials must have broad *authz*
permissions. One might want to use separate identities in order to
craft their permissions appropriately. The fact that slapo-chain(5)
is very useful in conjunction with sync replication is orthogonal to
slapo-chain(5) design. In fact, it was not designed for this purpose.
I guess you're referring to syncrepl for multi-master replication
scenarios, right ? In my case, I'm using slapo-chain to allow my user to
change their password, whereas they only access the slave server.
Meaning I only push user-triggered changes to the master. Sorry if I was
not clear enough.
No, I was exactly referring to your case. What I mean, if I got you
correctly, is that you'd like to reuse the identity you set in the
syncrepl statement for the slapo-chain(5) you use to automatically
redirect write requests to the master. This could be done, but it
hasn't been done since the use of slapo-chain(5) is, IMHO, orthogonal to
that of syncrepl.
Of course one could think of adding sort of a "chain-replication"
keyword, so that referrals matching a shadow context are chained using
the credentials of the syncrepl stanza (you could file a feature request
OK, thanks for the explanation.
I was also curious to know if the slapauth tool was usable to test
such kind of proxy setup. Reading the man page, it seems rather
adapted to testing identity mapping through authz-regexp directives.
No. In fact, slapauth only tests authz-rgexp mapping, while what you
want is something similar to authz-regexp but specific to
slapd-ldap(5), and thus buried in its internals. Since it results in
an RFC 4370 proxied authorization control, it could be interesting to
have a companion of the RFC 4532 who am I? operation that tells how a
DSA is going to authorize when chaining an operation, and what the who
am I? operation returned after chaining. However, I believe this
would only be useful for "maintenance" checking, as the whole purpose
of slapo-chain(5) is to hide the fact that operations are not handled
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497